How Mega-Breaches Could Literally Kill You

It was not very long ago that information shared with your doctor was sacrosanct, at the same remove from exposure as utterances made under the protection of an attorney-client relationship or pillow talk in a spousal bed. That may no longer be the case — and the fallout could be life-threatening.

Unless you are living off the grid in a log cabin on Loon Lake, you have heard about the mega-breaches responsible for this paradigm shift. Unfortunately, the likelihood is that the dark days of lax or nonexistent data security practices are by no means behind us.

If you doubt that, consider for a moment that it was only a year ago the media sirens alerted the world to what would be the biggest mega-breach involving healthcare information. Although it took a while for the whole story to emerge, we learned that more than 80 million customers of Anthem were exposed in a giant breach that included Social Security numbers (SSNs) and other kinds of sensitive personally identifiable information. A scant three months later, in March 2015, Premera began notifying 11 million members that personal information (this time including Social Security numbers and medical records) somehow found its way into enemy territory — swiped, as it were, by an unknown party.

The revelation that medical histories had been exposed was serious. The potential damage that could be wrought by evil-doing third parties using Social Security numbers was no small thing. The victims of both the Anthem and Premera breaches will be looking over their shoulders for the rest of their lives — forever exposed to the possibility of crimes ranging from credit card account take-overs to tax refund fraud based on the compromise of their SSNs. (If you do have reason to believe your SSN was compromised, you may want to keep an eye on your credit as unexpected changes can signal potential identity theft. You can do so by pulling your credit reports for free each year on AnnualCreditReport.com and viewing your credit scores for free each month on Credit.com.)

With the addition of medical records in the mix, there was the potential for new, more terrifying kinds of attacks — extortion using the threat of leaking embarrassing, private medical information and theft of healthcare services, which could cause a person to be denied timely healthcare, not to mention all those other crimes you can’t even imagine until they are announced on the nightly news.

As if that weren’t enough, in June, the Office of Personnel Management — the human resources department of the U.S. (including its spies) — announced perhaps the most devastating breach of all. Somewhere between 18 and 32 million records were floating in the wind (possibly higher, most often pegged at 22 million). More accurately, those incredibly sensitive records were in the possession of a hostile third party. The OPM hack included millions of the most intimate details revealed (or uncovered) during security clearance evaluation background checks for present and former government employees, contractors, family members of candidates, their friends and even employees of airlines.

The latest news from the OPM breach is that the information leaked could lead to espionage for any number of reasons, many of them not quite aspiring to inclusion in a Robert Ludlum narrative. The threat was discussed recently on CNN:

“You have an enduring threat from a counterintelligence perspective,” William Evanina, the National Counterintelligence Executive and director of National Counterintelligence and Security Center, told CNN in a telephone interview. “The threat is now, and it is enduring. If they decide to compromise me, they may do it now, they may do it in three years.”

The counterintelligence campaign currently underway is specifically designed to warn current and former government employees and contractors whose information was exposed by the breach that their information could be used by an operative to strike up a conversation. Armed with personal details, this operative could quickly form a bond by talking about mutual interests or life experiences. It’s creepy, and the threat is very real.

But What Does That Have to Do With Healthcare?

Two of the above breaches include medical histories. The secrets and most personal details of the people affected are no longer secure, and the repercussions could be life-threatening.

Will people hesitate to see a doctor about a complaint that they would not want a third party to know about? Let’s say someone contracts a sexually transmitted disease, and they decide rather than have that on their personal record—and risk exposure—they will purchase the antibiotics mentioned in an online article about the treatment of this or that disease. (It’s not that far-fetched. A London HIV clinic accidentally leaked 780 patient email addresses in September 2015.) And let’s say that person is allergic to that prescription. Another scenario could well be a mental health crisis, where a person in dire need of help forgoes treatment for fear of exposure to hackers. That second scenario could not only result in the individual hurting himself or herself, it could also endanger the lives of others.

While it is fair to counter that the above is incendiary and dire, it is not beyond the realm of the possible as breaches go from a regular occurrence to the third certainty in life. Now more than ever, it is time for the healthcare community to rise to the challenges of the data security issues that we face, and close the gates because the cyber barbarians are everywhere.